Pipex's new account management website has angered its former customers by revealing that the ISP has retained personal details, including banking information, for up to 11 months after they quit their contract.
Mypipex.net opened for business late last week, and users on ISP forum thinkbroadband.com quickly noticed that …

COMMENTS

Absurd behaviour by Pipex

I left Pipex over 2 months ago; my email address with them still works (though I never actually used it) and I can still maintain my 50MB personal webspace from them.

Just tried logging into the new MyPipex site with my old user/pass and it worked; on the old system the user/pass stopped working on the day my ADSL service from them finished.

I can understand leaving the account 'live' for a short time after the user leaves so they can tie up loose ends to do with changing email addresses, but an 11-month-old user/pass still active? Pure absurdity.

Eclipse seem to keep details as well

I just logged into my former ISP's user portal (Eclipse Internet) and can still access everything I could when I was a customer, including being able to see my credit card details. An appropriate email has just been sent to their customer services for an explanation. I ceased to be a customer of theirs back in August 2006!

It's a lot more than 11 months

Another reason why I left the idiots

I left in Oct 2006. And surprise surprise, all my details are on there including all my statements. I'm really quite annoyed at this. I have changed the details as I don't trust these fools not to leave it somewhere unsecure.

Mine still works as well

Freedom2Surf as well

After reading this story, I went to see if my details were still held by Freedom2Surf (who were bought by Pipex and then went down the toilet, hence my leaving them about 6 months ago), and lo and behold, I could still log in, all my details were still there including bank and credit card details.

Complain

To Pipex - haha, in my experience they don't give a toss. I only stay with them cos I usually solve my own problems. I pity the non-techies who are given the runaround. (My neighbour is one of those unfortunate souls.)

No, instead complain to the Information Commissioner, copying it in to Pipex. Mention that you believe they have breached the principles of the Data Protection Act in that data should not be retained for longer than is necessary - IMHO, 12 months is more than excessive.

Everyone keeps your data

Sadly the rules on data retention are mostly ignored.

This is another example of a company simply getting caught out, but it is unlikely to change their practices.

While contracting in web development for in excess of 10 years, almost all the people I worked for had a simple policy of not deleting any customer data unless absolutely necessary ... "You never know when we might need it" was the usual justification.

This is compounded by weak laws and little incentive to obey them.

I personally think that we all should flip the laws on their head, meaning that I own my data, I am the only one that can use or sell it, and I have to be asked whether a company can keep it and for how long. Additionally, large penalties should be levied on companies that fail to respect my 'right' of ownership of my data.

Perhaps the system is broken

If you can't be sure that you haven't left data lying around, then the next best thing is to make sure that whatever you have left behind is of no use.

Just suppose credit card numbers changed per transaction, rather than every couple of years when a new card is issued. Then it wouldn't matter if someone else could see your credit card number, because it could not be used to initiate a new transaction.

That may not be practical, but a per-transaction authorisation token certainly is realisable.

In the meantime, reduce the spending limit on your credit card to no more than you could afford to lose irretrievably.

Surely not

Surely this is in line with a variety of legal obligations? Not least of which are the moneylaundering/identitytheft/terrorism/canwetakeyourfingerprintsanddnaforourdatabase regulations which have come in over the last few years?

There are several articles on The Reg regarding new DOJ etc. rules for data retention for ISPs. It really shouldn't surprise anyone that this data is still around.